White Paper Layer 7 Visibility and Control - Cisco Meraki · PDF fileLayer 7 Visibility and Control ... To provide rich traffic analysis capabilities, Meraki wireless, switching, and

  • View
    215

  • Download
    1

Embed Size (px)

Text of White Paper Layer 7 Visibility and Control - Cisco Meraki · PDF fileLayer 7 Visibility and...

  • White Paper

    Layer 7 Visibility and ControlFEBRUARY 2013

    This document highlights the foundation of Merakis self-learning layer 7 traffic analytics engine and the rich visibility and intuitive management that it facilitates.

  • Copyright

    2013 Cisco Systems, Inc. All rights reserved

    Trademarks

    Meraki is a registered trademark of Cisco Systems, Inc.

    Table of Contents 1 Introduction 3 2 Meraki Traffic Shaping Technology 5

    3 Management & Control 8

    4 Comparison with typical solutions 10

    5 Conclusion 11

    Meraki, Inc. | 660 Alabama St, San Francisco, CA 94110 | (415) 432-1000 | sales@meraki.com2

  • 1 Introduction The Value of Application Visibility

    An increasing reliance on Internet access for corporate productivity has created an expectation of high performance and ubiquitous connectivity in the enterprise. In parallel, bring your own device (BYOD) and cloud computing trends have led to a rapid proliferation in the number of devices and applications used in enterprise networks. These factors can strain traditional networks and create issues such as bottlenecks in network performance. It is often considered important to deliver high performance and application optimization within the context of constrained costs, finite bandwidth capacity, and an expectation to deliver a minimum quality of service (QoS) for critical applications. Meeting these requirements can be challenging for budget and time-constrained IT departments.

    Two factors are critical for addressing these challenges: clear, concise insight into network performance, and an ability to enforce network policies that optimize the networks performance. Network admins must be armed with complete knowledge of network utilization, not only in terms of bandwidth, but also across all layers, even to the application level. Understanding the devices and users accessing specific applications, and the amount of time spent and traffic flowing on each, can provide valuable context to understand user behavior and prompt the design of effective network policies. Finally, a built-in toolset that allows for the creation and application of flexible policy sets can ensure that application information can be acted upon by the IT admin to help deliver optimal network performance.

    An emerging use of application visibility is to leverage this data to enhance customer engagement via interactive campaigns and targeted experiences. Understanding the flow of applications, users, and time spent can help the marketing department of a retail outlet or hotspot provider answer the age-old question: What are my users doing? This level of visibility and the actionable data it provides is yet another reason to require application-layer visibility in networking infrastructure.

    Meraki, Inc. | 660 Alabama St, San Francisco, CA 94110 | (415) 432-1000 | sales@meraki.com3

  • Merakis unique traffic analytics engine provides visibility across all layers of the network stack, ranging from the port and protocol layer up to the application layer (e.g., Facebook and YouTube). In addition, Merakis latest enhancements (released in 2013) include deep statistical analysis of parameters such as time spent per user and per application on a flow-by-flow basis; this provides valuable context on user behavior instead of an aggregate dump of all applications accessed on the network. Finally, Merakis ability to create Layer 7 application firewall and traffic rules and apply these on a per-group basis provides the network admin with a rich toolbox for customization and optimization of their network based on the analytics data presented. Layer 7 traffic analysis is available across Merakis wireless (MR), switching (MS) and security (MX) product lines, and traffic shaping is available on Merakis MR and MX product lines. This paper takes a closer look at this innovative functionality.

    Figure 1

    Traffic analysis and shaping engine

    The Value of Application Visibility (cont.)

    App Insight

    Content Insight

    User Insight

    Meraki, Inc. | 660 Alabama St, San Francisco, CA 94110 | (415) 432-1000 | sales@meraki.com4

  • 2 Meraki Traffic Shaping Technology Deep Packet Inspection and Traffic Signatures

    To provide rich traffic analysis capabilities, Meraki wireless, switching, and security products perform deep-packet inspection (DPI) of traffic on the network on a flow-by-flow basis. This analysis is then uploaded in real-time to the Meraki cloud for statistical aggregation from all edge endpoints. Detailed information is made available to a network admin on their Meraki dashboard through customizable network and time formats. Merakis capabilities include an analysis of various elements, such as IP addresses, host names, and port ranges, which is combined with a behavioral analysis of each traffic flow. This facilitates a deeper categorization of traffic beyond just port or IP-based classification; examples include peer-2-peer (P2P) file-sharing and social gaming sites that are constantly adding servers and cannot therefore be tracked simply by using IP addresses.

    The inspection of thousands of traffic patterns over several years led Meraki to create a database of traffic signatures that can be used to recognize network traffic at the application level. An especially challenging task is the recognition of peer-to-peer traffic, which has traditionally been very difficult to pin down due to the constantly changing IP addresses and port ranges; via careful analysis of torrent traffic streams, Meraki created a heuristic signature that recognizes short TCP sessions across a fleeting range of IP addresses, allowing for the classification of P2P traffic. Similar heuristics are applied in the absence of any specific identifying information for a range of applications; these heuristics comprise a library of Merakis traffic signatures, and are maintained in Merakis cloud, allowing for rapid updates based on the discovery and analysis of new traffic patterns. In addition, the ability for the network admin to create custom signatures using host names, IP address ranges, and ports allows for tracking traffic to specific destinations. For example, an admin can create signatures to track activity such as employee access to a local web or email server.

    Figure 2

    Screenshot of Meraki dashboard showing

    breakdown of web traffic

    Granular Analytics

    New applications, protocols and traffic patterns are continuously emerging. While providing an overarching traffic signature can be a compelling way to reduce complexity, admins often desire deeper granularity and a more detailed breakdown of which IP addresses or host names were being accessed for traffic signatures such as miscellaneous web.

    The need to provide deeper visibility into traffic led to the development of a new classification scheme that allows for the dynamic creation of signatures based on host names and IP addresses. Examples include a signature for mail.company.com to provide visibility into unique traffic flows and a granular host name and IP address breakdown of a category such as Dropbox to allow deeper inspection of the specific IP addresses and host names contributing to this application. This breakdown is especially useful for broad categories such as Non-web TCP, and provides a detailed breakdown of all of the websites that were visited within this category. This new learning engine allows for the dynamic creation of traffic signatures based on traffic patterns, and provides deeper visibility to admins seeking to understand what their users are doing.

    Meraki, Inc. | 660 Alabama St, San Francisco, CA 94110 | (415) 432-1000 | sales@meraki.com5

  • Deep Packet Inspection at Line Rate

    Leveraging powerful hardware components that were selected with rich capabilities such as traffic analysis in mind, Meraki products perform traffic analysis inspection and classification at line rate, ensuring no drop in performance when used in conjunction with the numerous other features available. For example, Merakis MX security appliance can run traffic shaping in conjunction with Auto VPN to dozens of other sites in a mesh VPN topology, all at line rate whilst passing hundreds of megabits of traffic. A careful selection and design of silicon components was required to tightly integrate hardware and software for optimized performance.

    Figure 3

    Highly optimized hardware

    and software integration

    allows for line-rate

    processing

    Integrated Cloud Management

    Merakis hardware products and cloud maintain a tight feedback loop through a highly compressed 1 kbps management tunnel, which includes traffic analytics and configuration information such as network settings. In addition to traffic signatures being pushed from the cloud to the edge and traffic flows data being pushed back to the cloud, additional context information is sent on a per-flow basis, including users and applications, and the per-user average and total user time spent on each application or website.

    Figure 4

    Cloud-based management and reporting

    Enhanced CPU: Layer 3-7 firewall and traffic shaping

    Additional memory for content filtering

    48 x 1 GbE Ports with 802.3af/802.3at PoE/PoE+

    Enhanced CPU/ memory Meraki cloud management

    Built in 4x 10 GbE SFP+ ports for core connectivity / stacking

    Enhanced CPU: Layer 3-7 firewall and traffic shaping

    3x3 MIMO, dual 802.11 radios with 3 spatial streams for up to 900 Mbps

    Meraki, Inc. | 660 Alabama St, San Francisco, CA 94110 | (415) 432-1000 | sales@meraki.com6

  • The Meraki cloud leverages the processing capabilities of a distributed data center architecture to a

Search related